Following CANs list <=8.0.1 as affected:
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0244>
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0245>
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0246>
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0247>
244 and 246 appear to be fixed according to the 8.0.1 changelog, maybe someone can verify that. (Additional) patches for 245 and 246 seem to have been introduced after the release though. postgresql team, pls verify|patch|advise
Ubuntu fixed those with USN-79-1 http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0138.html
Confirming fixed in 7.4.7: CAN-2005-0227, CAN-2005-0244, CAN-2005-0246.
They also fixed: "Avoid buffer overrun when plpgsql cursor declaration has too many parameters (Neil)". This appears to be CAN-2004-0245.
This leaves CAN-2004-0247 to treat; the patch for 7.4.7 can be found at:
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/pl/plpgsql/src/gram.y.diff?r1=1.48.2.1;r2=1.48.2.3;only_with_tag=REL7_4_STABLE
postgresql maintainers: You might want to also patch 8.0.1 using:
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/pl/plpgsql/src/gram.y.diff?r1=1.64.4.1;r2=1.64.4.3;only_with_tag=REL8_0_STABLE
Of course it is CAN-2005-0247 and not CAN-2004-0247. Koon, what is the status of CAN-2005-0245, is it fixed already? GLSA drafted, Security please review.
Apparently yes. It's the same file anyway, so patching the last one will surely solve both.
I've applied the patches in postgresql-7.3.9-r1.ebuild, postgresql-7.4.7-r1.ebuild and postgresql-8.0.1-r1.ebuild.
Arches please test and mark stable. Target keywords:
postgresql-7.3.9-r1.ebuild:KEYWORDS="x86 ppc sparc alpha amd64 hppa ia64 mips"
postgresql-7.4.7-r1.ebuild:KEYWORDS="x86 ppc sparc mips alpha arm hppa amd64 ia64 s390 ppc64"
postgresql-8.0.1.ebuild:KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~s390 ~ppc64" (Already there).
Stable on ppc.
stable on ppc64
It's already stable on x86
Stable on alpha.
stable on amd64
sparc stable.
GLSA-200502-19
arm, hppa, ia64, mips: please remember to mark stable.
Stable on hppa.
Stable on mips.